After presenting at both the MCT Virtual Summit and the MCT Live Summit in York this year I will also be presenting at SEF (SharePoint Exchange Forum). This time I will present on one of the topics I have come to love very much this year even if I hated it before I quite got the hang of it: Claims. I’ll walk you through claims authentication, how it works, the anatomy behind it and how you need to implement it in your environment. Please join SEF and listen to me and many of my colleagues, visit http://www.seforum.se/Pages/default.aspx to register now!
In this two-part series I will demonstrate how you can use the new SharePoint 2010 Claims authentication to integrate with third-party authentication sources really simply. In this part I will show how to integrate with Windows Live; in the next part I will show how to integrate OpenID.
- SharePoint 2010 server, with a reachable website, running both HTTP and HTTPS
- Your very own Windows Live account (to register your application with Microsoft)
- My LIVE-STS-SETUP.ZIP file (Attached to the post)
Step 1: Register at Microsoft Service Manager
You will need to register your application at Microsoft. You will do this two times, first in the test system INT, and then in the production system PROD. Microsoft will validate your solution before they will allow you access to the PROD environment. Basically this means you will have to do the setup twice, once for INT and after that for PROD. You need to go to Microsoft Service Manager. When you enter this site you will be redirected directly to the INT environment (a small INT label in the top left corner of the site indicates this).
Click the “Register Your Site” link in the left menu on the site. The name field can be filled out with free text; the DNS name must be your public domain name without any http:// or similar (and you must give the same value as you will use when running the setup script on your machine). Then click Submit, and you will have to confirm. Just click to confirm and your application will be created in the INT system. After this you will have to go to “Manage Your Site”, scroll down the page and click to edit properties. You will then have to check the advanced box to be able to change some properties. The first property you will need to set is Default Return URL, which should be set to https://<www.yourdomain.com>/_trust/default.aspx. Click to move to the next page, find Override Authentication Policy and change that value to MBI_FED_SSL.
Step 2: Prepare web servers
The next step is to install the certificates that are needed to identify the remote server and also to set up the providers. For your convenience I have attached both the PROD and INT certificates and a nice PS1 file to do all the grunt work for you. Start a SharePoint 2010 Management Shell and then go to the directory where you downloaded the zip file. Go to Explorer, unzip the file and edit the four parameters at the top of the script (your domain, the unique id from Windows Live and the paths to the certs). Then run the script by simply typing .\setup-live.ps1.
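The attached setup-live.ps1 is not reproduced on this page, so here is an added example (my own illustration, not the attached script) of the grunt work such a script does for the INT environment: trusting the STS signing certificate and registering a trusted identity token issuer that shows up as a provider in Central Administration. The domain, certificate path, provider name, sign-in URL, realm format and expected thumbprint are all assumptions or placeholders; take the real values from the attached script and from your registration at Microsoft Service Manager. The thumbprint check is there so that you only ever trust the certificate you meant to.

```powershell
# Added example, not the attached setup-live.ps1. Run in the SharePoint 2010
# Management Shell as a farm administrator. Every value below is an assumption
# or placeholder; replace with the values from your own registration.
param(
    [string]$Domain             = "www.yourdomain.com",                 # assumption: same DNS name as registered at MSM
    [string]$CertPath           = "C:\live-sts\LiveID-INT.cer",         # assumption: path to the INT signing certificate
    [string]$Name               = "LiveID-INT",                         # provider name shown in Central Administration
    [string]$SignInUrl          = "https://login.live-int.com/login.srf", # assumption: INT sign-in endpoint
    [string]$ExpectedThumbprint = ""                                    # placeholder: thumbprint you verified out of band
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Load the STS signing certificate and, if you supplied a thumbprint, refuse to
# continue unless the file on disk is the certificate you expected.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host "Loaded certificate: $($cert.Subject) thumbprint $($cert.Thumbprint)"
if ($ExpectedThumbprint -and ($cert.Thumbprint -ne $ExpectedThumbprint.ToUpper())) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected STS signing certificate."
}

# Trust the certificate farm-wide; SharePoint needs it to validate the tokens the STS signs.
if (-not (Get-SPTrustedRootAuthority -Identity $Name -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $Name -Certificate $cert | Out-Null
}

# Live ID only hands over the unique user id (nameidentifier), so that is the
# identifier claim. No e-mail claim is mapped because none is sent (see Step 4).
$idClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$map = New-SPClaimTypeMapping -IncomingClaimType $idClaim `
        -IncomingClaimTypeDisplayName "LiveID" -SameAsIncoming

# Realm: the identifier SharePoint presents to the STS. Assumed here to be
# derived from the registered DNS name; use whatever your registration expects.
$realm = "uri:$Domain"

if (-not (Get-SPTrustedIdentityTokenIssuer -Identity $Name -ErrorAction SilentlyContinue)) {
    New-SPTrustedIdentityTokenIssuer -Name $Name -Description "Windows Live ID (INT)" `
        -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map `
        -SignInUrl $SignInUrl -IdentifierClaim $idClaim | Out-Null
}

# Show what was registered so you can check it before assigning it to a zone.
Get-SPTrustedIdentityTokenIssuer -Identity $Name |
    Select-Object Name, Realm, ProviderUri, IdentifierClaim
```

For PROD you run the same thing again with the PROD certificate, the PROD sign-in URL and a different provider name (the post uses LiveID for PROD and LiveID-INT for INT), which is why both names later appear under Authentication Providers.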
Step 3: Configure your application
Next you can start using the provider (only INT can be used if you have not yet been bumped into the PROD system). Go to Web Applications Management in Central Administration. Highlight the application you wish to Live-enable. Click the “Authentication Providers” button and then select whichever zone you want to configure. In the providers section you will now notice a LiveID and a LiveID-INT provider. Select your providers and then we are done! If you have not yet enabled Claims authentication for your Web Application, this needs to be done before you can use the authentication from Windows Live ID. To do that, go to PowerShell and run the following commands:
# Get the web application you want to switch to claims authentication
$sajt = Get-SPWebApplication http://yourelitesite.com
$sajt.UseClaimsAuthentication = $true
# Update() persists the change; without it the setting is not saved
$sajt.Update()
Step 4: Test your application
Go to your URL; depending on whether you have more than one authentication provider you will be prompted to select which one to log in with. Note that when you are using the INT provider you will NOT be able to log in using your normal account; instead you need to create a Live account in the INT system (do that via the login page). Also note that the Live ID STS will NOT give you the email, but just the unique ID, and you will need to construct a solution to provide a registration form for your users where they can enter email and whatever more you need.
Today I finally got time to go to the test center and write some of the exams for SharePoint 2010. So today I passed the 070-667 (TS: Microsoft SharePoint 2010, Configuring) and the 070-668 (PRO: Microsoft SharePoint 2010, Administrator). I’m still thinking about the developer certs; I’m no developer and I will never need them. It does take some time to write the exams, especially the PRO exams where the scenario texts are incredibly long. I feel this completes things pretty well for me together with my SharePoint 2010 Ignite Trainer appointment, but let’s see if I have the time soon again for some certs.
If you have been working with 2010 for a couple of months and have previous experience with SharePoint 2007 you should be all right. The official exams for IT-Pros are:
- 70-667 TS: Microsoft SharePoint 2010, Configuring
Microsoft Official Curriculum: Will cover configuration of SharePoint 2010 including deployment, upgrade, management, and operation on a server farm.
- 70-668 PRO: SharePoint 2010, Administrator
Microsoft Official Curriculum: Will cover advanced SharePoint 2010 topics including capacity planning, topology designing, and performance tuning.
If you are a partner, see https://partner.microsoft.com/40121316?msp_id=sharepoint2010ready for more information about how to get ready.